Definition · Plain-language
Lawful basis
A lawful basis is the legal ground, set out in GDPR Article 6, on which an organisation is permitted to process personal data.
The step most authors miss
Doing CRediT right? Don’t stop at the statement.
A CRediT statement credits you inside one paper. The recognition CRediT was built for happens when those roles are tied to you, persistently. Sign in with your ORCID — free — and claim your CRediT contributions on casrai.org, the home of the standard. They become a verified, portable part of your identity, not a line that disappears into one PDF.
Free: claim your contributions, then export a journal-ready CRediT statement, schema.org structured data, JATS XML, CSV or BibTeX — and preview your public profile. A membership publishes that profile publicly and verifies the journals you serve.
The six bases
GDPR Article 6 lists six lawful bases. Consent is a freely given, specific and informed agreement. Contract covers processing needed to fulfil an agreement with the person. Legal obligation applies where a law requires the processing. Vital interests covers protecting someone’s life. Public task supports official functions carried out in the public interest. Legitimate interests allows processing necessary for the interests of an organisation or third party, provided these are not overridden by the individual’s rights. No single basis is inherently superior; the right one depends on the situation.
Choosing and documenting a basis
The appropriate basis depends on the purpose and context of the processing, and it should be identified before processing begins. The choice has consequences: for example, the lawful basis can affect which data subject rights apply most strongly. Processing special category data requires an additional condition on top of the Article 6 basis. Recording the reasoning behind the chosen basis supports the accountability principle and helps an organisation explain its processing clearly to individuals.
Lawful basis in research
Research often relies on public task or legitimate interests rather than consent, particularly for secondary use of data, while ethical consent for participation remains important in its own right. Distinguishing the lawful basis for processing from research-ethics consent avoids confusion, since the two operate in parallel. Identifying the basis early, alongside any privacy impact assessment, helps teams handle personal data transparently and supports trustworthy data sharing aligned with open and FAIR principles.
Key facts
At a glance
- Definition: the legal ground permitting processing of personal data
- Source: GDPR Article 6(1)
- Six bases: consent, contract, legal obligation, vital interests, public task, legitimate interests
- Requirement: at least one basis must apply
- Special data: needs an extra Article 9 condition as well
- No hierarchy: the right basis depends on purpose and context
Common misconceptions
What people often get wrong
Often heard: Consent is always the best or required lawful basis.
Actually: No basis is inherently superior. Consent is one of six, and other grounds such as public task or legitimate interests are often more appropriate, especially in research contexts.
Often heard: You can switch lawful basis freely once processing has started.
Actually: The basis should be identified before processing begins and not swapped casually, because the choice affects individuals’ rights and the organisation’s obligations.
Often heard: Having a lawful basis is all you need to process special category data.
Actually: Special category data needs both an Article 6 lawful basis and a separate Article 9 condition specifically permitting the sensitive processing.
Going deeper
